Elias_O_16228
Nimbostratus
Aug 27, 2012
SSL Server Offload - Serverside cipher
We are running LTM 10.2.3 with server SSL offload. Some of our clients' browsers are running TLS1.2 and our server does not support TLS1.2. I wanted to customize the serverside SSL to not use TLS1.2, i.e. to decrypt and re-encrypt with TLS1.1 on the server end.
Not sure if this would work.
Regards
9 Replies
- hoolio
Cirrostratus
Hi Elias,
That sounds like it should work. You should be able to specify separate cipher lists for the client and server SSL profiles:
sol8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
https://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html
Aaron
- Elias_O_16228
Nimbostratus
Aaron,
Thanks for your response. I guess my question should have been, "does BigIp use the same cipher on the serverside encryption?" I was of the opinion that if a client is connecting with TLS1.2, bigip will decrypt and re-encrypt with the "same cipher" (TLS1.2) in its connection with the server. Otherwise, current clients shouldn't have a problem connecting with TLS1.2.
Regards
Elias
- Elias_O_16228
Nimbostratus
I was thinking of doing something like this: !TLS1.2:ALL:@SPEED on the serverside profile, telling it to NOT USE TLS1.2 in its communication with Server.
Unfortunately, I don't have a test environment to validate this.
- hoolio
Cirrostratus
Hi Elias,
That seems like it should work. You might want to use 'NATIVE:!TLS1_2:@SPEED'. You can create a test virtual server on your existing LTM to test this. Or you could contact your F5 or partner SE and request an eval key for VE lab edition.
Aaron
- Elias_O_16228
Nimbostratus
"NATIVE:!TLS1_2:ALL:@SPEED" is not accepted by the LTM (tried with a space after NATIVE and without a space). [Note: without quotes]
- hoolio
Cirrostratus
Sorry to hear that. It looks like there was a bug for this which was fixed in 10.2.4 and 11.2:
Bug 372901 - MCP validation on SSL cipher string out of sync with tmm
If you're not able to upgrade to 10.2.4 you could check for alternative options with F5 Support.
Aaron
- Elias_O_16228
Nimbostratus
Aaron, Thanks very much. You are awesome for Newbies like me.
Checked the bug ID http://support.f5.com/kb/en-us/solutions/public/13000/500/sol13543.html
I have downloaded 10.2.4 in preparation for the upgrade.
Elias
- hoolio
Cirrostratus
Good to hear. Let us know how your testing goes.
Thanks, Aaron
- Elias_O_16228
Nimbostratus
Well, I just wanted to say that the upgrade went smoothly. It appears I am running into a minor issue that might be a bug. After the upgrade to 10.2.4, I noticed that the Software Management > Image List is showing "false" under Product. This should show "Big IP". This also changed all existing images to "false" under Product. Though, when I click on the image detail, it shows "big IP" under Product. I could understand if that applied only to the new code, but changing the other images to "false" under Product I could not understand. I have opened a case with F5... will post the outcome when resolved.
Regards
Elias
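As an added illustration (not code from this thread, and not F5's own code): a small Python model of how a server SSL profile cipher string such as hoolio's 'NATIVE:!TLS1_2:@SPEED' is evaluated, so the difference between the '!TLS1.2' form Elias first tried and the 'TLS1_2' keyword, and between '!' and '-', can be checked offline. The suite catalogue and the speed ranks are constructed assumptions, not the LTM's real NATIVE list; the rules modelled are the OpenSSL-style ones F5 documents for cipher strings (':'-separated keywords, '!' permanent removal, '-' removal that a later keyword may undo, '@SPEED'/'@STRENGTH' sorting), with each entry being a suite plus a protocol version, which is how the BIG-IP lists cipher entries.

```python
from collections import namedtuple

# One (suite, protocol version) pair, which is how the BIG-IP lists cipher entries.
Entry = namedtuple("Entry", "suite version bits speed")   # bits: key strength; speed: assumed rank
VERSIONS = ("SSLV3", "TLS1", "TLS1_1", "TLS1_2")
GROUPS = ("ALL", "NATIVE", "DEFAULT")

# Constructed catalogue: suite, strength, illustrative speed rank (larger = faster), lowest version.
_SUITES = [
    ("AES128-GCM-SHA256", 128, 4, "TLS1_2"),   # AEAD: TLS 1.2 only
    ("AES128-SHA256",     128, 3, "TLS1_2"),   # SHA-256 MAC: TLS 1.2 only
    ("AES128-SHA",        128, 3, "SSLV3"),
    ("AES256-SHA",        256, 2, "SSLV3"),
    ("DES-CBC3-SHA",      168, 1, "SSLV3"),
]
CATALOGUE = [Entry(s, v, b, sp) for s, b, sp, low in _SUITES
             for v in VERSIONS[VERSIONS.index(low):]]

def _members(keyword):
    # A group keyword selects the whole catalogue; a version keyword selects its pairs.
    return list(CATALOGUE) if keyword in GROUPS else [e for e in CATALOGUE if e.version == keyword]

def evaluate(cipher_string):
    """Apply the string left to right; return the ordered entries it leaves enabled."""
    selected, banned = [], set()
    for token in filter(None, cipher_string.split(":")):
        if token.startswith("@"):            # sort keywords reorder what is selected so far
            keyfn = {"@STRENGTH": lambda e: -e.bits, "@SPEED": lambda e: -e.speed}.get(token)
            if keyfn is None:
                raise ValueError(f"unknown sort keyword {token}")
            selected.sort(key=keyfn)
            continue
        keyword = token.lstrip("!-")
        if keyword not in GROUPS + VERSIONS:
            raise ValueError(f"unknown keyword {keyword!r} (version keyword is TLS1_2, not TLS1.2)")
        members = _members(keyword)
        if token.startswith("!"):            # '!' removes permanently: a later ALL cannot re-add
            banned.update(members)
            selected = [e for e in selected if e not in banned]
        elif token.startswith("-"):          # '-' removes for now; a later keyword may re-add
            selected = [e for e in selected if e not in members]
        else:
            selected += [e for e in members if e not in banned and e not in selected]
    return selected

def negotiable_versions(cipher_string):
    """Protocol versions the server SSL profile could still negotiate with this string."""
    present = {e.version for e in evaluate(cipher_string)}
    return [v for v in VERSIONS if v in present]
```

With this model, 'NATIVE:!TLS1_2:@SPEED' leaves no TLS1_2 entries, so the serverside handshake cannot negotiate TLS 1.2, while 'NATIVE:-TLS1_2:ALL' would silently re-enable it; a dotted 'TLS1.2' is rejected as an unknown keyword.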